1. Introductions and apologies


1.1. Christopher Graham was unable to attend the meeting 
due to another diary commitment. David Eagles of BDO was 
welcomed to his first Audit Committee meeting. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Minutes and action points from the Audit Committee 
meeting of the 8 September 


3.1. The minutes had been agreed by correspondence. 


3.2. The action point for Simon Entwisle to provide the 
Committee with update reports on the new finance system 
remained outstanding as an update was required at the 
March 2015 meeting. 


3.3. Simon Entwisle confirmed that the Management Board 
action to finalise the IT strategy was also complete. The 
action had related to detailed plans for various IT projects 
where there had been uncertainty about what exactly was to 
be done and the cost. The IT and Finance Steering Groups 
had reviewed the plans and expenditure and Executive Team 
were confident that the various projects would be delivered.


3.4. Simon Entwisle advised that work was on-going on a 
more high level strategy looking towards the end of IT 
service contracts in 2016 and the need to ensure the right 
model for IT procurement for the ICO was identified and 
followed. Grant Thornton was involved in this work. 


3.5. There was discussion about retaining some of the
proceeds of civil monetary penalties paid to the ICO, to cover
the cost of chasing payment in some cases. The NAO had
provided information to the ICO who were in discussion with
the Ministry of Justice. It was not straightforward, however,
and there had not been much movement.


3.6. It was suggested that the matter should be taken 
forward in conjunction with work coming out of the Triennial 
Review which might impact on funding and on work looking 
at amending the notification fee structure. 


Action point 1: Louise Byers to provide an update to
the next Audit Committee meeting on the retaining of
proceeds from civil monetary penalties.


4. Deputy Chief Executive Officer’s update 


4.1. Simon Entwisle provided the Committee with an update 
on major issues from his perspective. 


July 2014 pay remit 


4.2. The ICO had been negotiating with the Ministry of 
Justice and Treasury on the pay remit since February and 
was currently awaiting confirmation that the pay remit had 
been agreed and could be discussed with trade union side. 
The fact that agreement had been delayed was a frustration
for the Executive given the desire to get as good a deal as
possible for staff as early as possible. Uncertainty over the 
remit did also have an impact on financial planning for 
2015/16. 


Operational performance 


4.3. Operational performance was steady. Changes 
introduced to the handling of data protection complaints in 
April were working with the ICO now focusing more on issues 
of regulatory importance. In respect of freedom of 
information the ICO had moved some resources to 
proactively monitor the performance of public authorities in 
responding to information requests. 


Expenditure 2014/15 


4.4. Income and expenditure were on track for 2014/15. In 
particular there was more certainty over expenditure on IT 
projects and the need for dedicated resources from the IT 
service contractor to take forward specific projects had been 
agreed. However there was one important project which had 
been delayed. It was expected that this might be completed 
before Christmas. 


Enforcement 


4.5. There was a large on-going investigation into criminal 
offences under the Data Protection Act which was taking up a 
lot of resources. The National Crime Agency was supplying 
staff to assist. 


Action point 2: Peter Bloomfield to ensure 
consideration of any risks arising from enforcement 
work took place. 


Long term IT service provision 


4.6. As noted earlier the ICO was beginning to consider how 
best to procure its IT services post 2016. 


Action point 3: James Edmands to provide Simon 
Entwisle with recent NAO work on IT outsourcing to 
help inform decisions. 


Triennial review 


4.7. The Ministry of Justice is undertaking a triennial review 
of the ICO, providing a robust challenge to the continuing 
need for individual NDPBs (in function and form) and then of 
how it delivers its functions. There was a Ministry of Justice 
consultation ending on 16 January and it was expected that 
the whole process would be completed by the end of March. 


5. Risk register 


5.1. The new risk register and the main areas of risk were
considered. 

Money 

5.2. There was discussion on payment levels for notification
fees. It was recognised that it was not easy to identify how
many data controllers needed to register and hence how 
successful the ICO was at ensuring compliance. And planned 
research on how best to identify the level of data processing 
by data controllers (to feed into decisions on the structure of 
notification fees) had been delayed pending the results of the 
Triennial Review. 


5.3. The Committee highlighted their view that further work 
needed to be done in this area. 


People 


5.4. The results of the recent staff survey (including the 
response rate) and staff concerns about pay were considered. 
This was identified by the Committee as an issue for 
Management Board. 


Action point 4: Peter Bloomfield to discuss with the 
Commissioner inclusion of people issues as an item for 
discussion at the next Management Board. 


5.5. Uncertainty over accommodation in Wilmslow was also
noted as a factor influencing how staff felt. The need for 
concluding the matter quickly might need to be escalated at 
the Ministry of Justice. 


5.6. The status of the people risk after mitigation was
questioned.


5.7. The risk to the ICO from cyber threats was also raised.
This was discussed further under agenda item 8.


6. Finance 


6.1. An oral update on the replacement of the finance 
system was provided. The project was progressing well; on 
budget and ahead of time. There was a good working 
relationship with the IT service contractor and other 
companies involved. The new system and the transition to it 
had also been discussed with the auditors. 


6.2. It was planned to move to the new system in February 
and to use the new system to produce the end of year
accounts. However if there were problems the existing
system data could be used. 


6.3. It was confirmed that the Ministry of Justice required 
financial reporting on an accruals basis. 


7. Integrated assurance 


7.1. There was an oral update on the Integrated Assurance 
Project. This was being led by the Information Governance 
team and focused on information risks. Working with 
information asset owners the team had identified actions to 
improve the handling of information across the ICO. A further 
report was coming to Leadership Group in February. 


8. Outstanding audit recommendations


8.1. Dave Wells, Head of IT, attended for this item.


8.2. Clearance of the majority of the outstanding internal 
and external audit recommendations was noted. In respect of 
the IT related recommendations it was accepted that the 
dates agreed had been overly optimistic. The outstanding 
recommendation related to IT capacity (hardware) issues. 


8.3. There was further discussion on cyber security issues. 


9. Internal audit 


9.1. Grant Thornton presented their report on the recent 
Integrated Assurance: Management Assurance review. This 
involved a review of the different levels of management 
scrutiny and assurance over key areas of the organisation. 
Grant Thornton found that the ICO had a well-developed 
network of second line management led assurance functions. 


9.2. The internal audit progress report was also presented. 
The Integrated Assurance review had been completed. The 
Project review (covering Project Eagle and the Finance 
System Replacement Project) had started. Work was in train
for the Corporate and Financial Planning review due to take 
place in January. 


9.3. An update on the results of the Project Review was 
given. Project Eagle had been the first time the ICO had used 
agile working in an organisational (as opposed to IT) project. 
Some staff involved had had previous agile experience on IT 
projects, and the project had worked well. There had been
some communication issues identified during the lessons
learnt exercise. 


9.4. There was a general need to better identify criteria to 
assess the priority of projects across the ICO. 


10. External audit 


10.1. James Edmands introduced David Eagles, Partner at 
BDO. BDO had been appointed by the NAO to undertake the 
detailed audit work needed to support the C&AG’s opinion. It 
was confirmed that the responsibility for recommending the 
form of audit opinion to the C&AG remained with the NAO. 


10.2. The Audit planning report on the 2014/15 financial 
statement audit was presented. It included the significant 
financial statement risks relating to implementation of a new 
finance system, allocation of resources by function and 
management override of controls. 


10.3. The main audit work would take place during May. 


10.4. The Audit Committee confirmed the risks covered in the 
planning report. 


10.5. The Committee welcomed the continuity of staffing at 
the NAO. 


11. Fraud, whistleblowing and security incidents 


11.1. Peter Bloomfield introduced the report on fraud, 
whistleblowing and security incidents at the ICO for the 
quarter June to September 2014. 


12. Committee self assessment 


12.1. Peter Bloomfield introduced the results of the recent 
survey across governance committees. There were no major 
issues identified for the committee to consider. The provision 
of Audit Committee papers electronically was welcomed.


12.2. Peter Bloomfield advised the Committee that work 
looking at how best to present the corporate governance 
functions of the ICO to staff was due to start. 


13. Any other urgent business


13.1. There was no other business.


